Hi Bernd,
This likely occurred when stateless ticket handling was introduced in jdk 13.
For your customer situation, disabling stateless ticket by setting the system
property "jdk.tls.client.enableSessionTicketExtension" to false may cause the
server to store the session and allow resumption to operate like jdk 11.
The TLS 1.2 ticket handling should be better about receiving a hint greater
than the max, instead of just rejecting it. I don't think the client should
be storing the ticket for MAX_INT, but storing it for the max of 7 days would
be fine with me. JDK-8361108.
Thanks,
Tony
On 6/30/25 7:45 AM, Bernd Eckenfels wrote:
This OpenSSL ticket describes the same MAX_INT lifetime problem, and they seem
to use clamping as well.
I think the change and the exact condition are different (since it is a TLS1.3
issue for them), but the observation that vsftpd is causing this will allow us
to reproduce it. (I may report it to vsftpd as well).
https://github.com/openssl/openssl/issues/17948
Regards
Bernd
Bernd Eckenfels wrote on 29. June 2025 15:27 (GMT +02:00):
We deal with a regression in JSSE regarding resumption tickets with high
lifetime.
In older versions with Java 11 the customer claimed an FTP server was
reachable; with Java 21 the connections are rejected.
…